documentation_complete: true


title: 'Ensure Fedora GPG Key Installed'

description: |-
    To ensure the system can cryptographically verify base software
    packages come from Fedora (and to connect to the Fedora Network to
    receive them), the Fedora GPG key must properly be installed.
    To install the Fedora GPG key, run one of the commands below, depending on your Fedora version:
    <pre>$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-{{{ latest_version }}}-primary</pre>"
    <pre>$ sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-{{{ previous_version }}}-primary</pre>"

rationale: |-
    Changes to software components can have significant effects on the
    overall security of the operating system. This requirement ensures
    the software has not been tampered with and that it has been provided
    by a trusted vendor. The Fedora GPG key is necessary to
    cryptographically verify packages are from Fedora."

severity: high

references:
    cis-csc: 11,2,3,9
    cjis: 5.10.4.1
    cobit5: APO01.06,BAI03.05,BAI06.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS06.02
    cui: 3.4.8
    hipaa: 164.308(a)(1)(ii)(D),164.312(b),164.312(c)(1),164.312(c)(2),164.312(e)(2)(i)
    isa-62443-2009: 4.3.4.3.2,4.3.4.3.3,4.3.4.4.4
    isa-62443-2013: 'SR 3.1,SR 3.3,SR 3.4,SR 3.8,SR 7.6'
    iso27001-2013: A.11.2.4,A.12.1.2,A.12.2.1,A.12.5.1,A.12.6.2,A.14.1.2,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4
    nist: CM-5(3),SI-7,SC-12,SC-12(3),CM-6(a)
    nist-csf: PR.DS-6,PR.DS-8,PR.IP-1
    pcidss: Req-6.2

ocil_clause: 'the Fedora GPG Key is not installed'

ocil: |-
    To ensure that the GPG key is installed, run:
    <pre>$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey</pre>
    The command should return one of the strings below:
    <pre>gpg(Fedora {{{ rawhide_version }}} ({{{ rawhide_version }}}) &lt;fedora-{{{ rawhide_version }}}@fedoraproject.org&gt;)</pre>
    <pre>gpg(Fedora {{{ future_version }}} ({{{ future_version }}}) &lt;fedora-{{{ future_version }}}@fedoraproject.org&gt;)</pre>
    <pre>gpg(Fedora {{{ latest_version }}} ({{{ latest_version }}}) &lt;fedora-{{{ latest_version }}}@fedoraproject.org&gt;)</pre>
    <pre>gpg(Fedora {{{ previous_version }}} ({{{ previous_version }}}) &lt;fedora-{{{ previous_version }}}@fedoraproject.org&gt;)</pre>